Three days after ransomware attackers breached Kesaya, it’s in to limelight that attack is widespread. The attackers claim to have compromised more than 1 million computers, and demand $70 million to decrypt the affected devices.

Kaseya’s software is used by Managed Service Providers to perform IT tasks remotely, the Russia-linked REvil ransomware group deployed a malicious software update exposing providers who use the platform, and their clients.

The Dutch Institute for Vulnerability Disclosure revealed that it appears the exploit used for the breach was same one they discovered and were in the process of addressing when the attackers struck.

“One of the products we have been investigating is Kaseya VSA. We discovered severe vulnerabilities in Kaseya VSA and reported them to Kaseya, with whom we have been in regular contact since then.”

DVID Statement

At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.

One of the companies most noticeably impacted by the attack is Coop, a line of over 800 grocery stores in Sweden that closed Saturday as the attack shut down its cash registers.

REvil’s “Happy Blog,” claiming that more than a million devices have been infected and setting a ransom demand of $70 million in Bitcoin to unlock all of them.

REvil Statement

Three days after the attack, Kaseya’s SaaS cloud servers remain offline. The company says it will provide an updated timeline for server restoration this evening, as well as more technical details of the attack to help recovery efforts by customers and security researchers